Nobody account on AIX

[sunilprao]

Hi guys,

I am new to IBM AIX. I was trying to enable nobody account just like any normal user that one can run a telnet session with nobody userid. But even after changing the password, I get this error when I try to login with nobody username.

AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
login: nobody
nobody's Password:
3004-302 Your account has expired; please see the system administrator.

Any help would be greatly appreciated. I need to get this running as my product requires that the owner should be nobody. i've had no problems on Solaris.

Thanks
Sunil

 

[crowe]

what does the line for nobody in the /etc/passwd look like?

crowe

 

[sunilprao]

Thanks for the response. the nobody account has following entry in /etc/passwd.

nobody:!:-2:-2::/:

 

[aixqueen]

Nobody is a reserved account...you really shouldnt be using it.......It is used in
uucp, ttys printing.... and a bunch of other things...not as a normal user.
You may mess up your system where not much works.....it is supposed to be :
in the /etc/passwd file........

nobody:!:4294967294:4294967294::/:

and in the group file
nobody:!:4294967294:nobody,lpd

 

[Tison]

DO NOT USE THE NOBODY ACCOUNT>

Create a new account like "public" or "common" and let your telnet users use that.

 

[silvaril]

Sunil, why would you require the nobody UID?

If that is just they way you wrote it on Solaris, you might want to change it, as there are serious security flaws in having it runnning that way not just on AIX, but also on any other *nix OS you port to.

Esp. if, as you suggest, you force ownership of various files to that UID.

A dedicated user/group ID for your application would be the better path to follow, and allow for port compatibility.



If you have a particular reason for it, then please advise us accordingly.

Thanking You

Shane

 

[sunilprao]

Hi,

We basically have a product which runs on weblogic and weblogic's recommendation is to use nobody account as it is least privileged account. But even I had my own hesitations to use nobody account. But as my engineering department had used nobody as a standard account, we had to bring up this product with nobody as owner. I can get it running if it is owned by someother user. I was just wondering if there was a way to actually use nobody account just like another account.

Thanks
Sunil

 

[silvaril]

Hi Sunil,

Yes, nobody is generally, (by default), the least privileged account.

But only if you aren't using it, and thereby giving it privileges.

Giving nobody file permission privileges and logon privileges completely defeats the initial reason for using it.

Yes you can alter the nobody UID to be the same as any other UID on your system, but then it no longer fulfils it's own function.

Very self-defeating, and hence the reason everyone here is suggesting that you create a seperate UserID for your application.

That way, you can tie it down to just the permissions it needs to run things, and still have a nobody UID that cannot access even your applications bibs and bobs.

And as a plus, your application becomes a lot more portable.

If you would like these statements better prepared, for use in a business case for instance, just let me know.

Have Fun

Shane